State of Colorado | Governor's Office of Information Technology
Technical Standard
Data Security Categorization
Document Owner: Chief Information Security Officer
Document ID: TS-Data Cat-001
Technical Area: Office of Information Security
Effective Date: 2015-06-19
Version: 1.0
Last Reviewed Date: 2015-06-18

1. Purpose

The purpose of this standard is to ensure that State of Colorado information assets are identified, categorized and protected throughout their lifecycles. Information must be properly managed from its creation to its disposal. As with other assets, not all information has the same value or importance to the state and, therefore, it requires different levels of protection. Information security categorization and data management are critical to translating such requirements into security controls, access control policies and implementation costs.

The data security categories are based on the potential impact on an agency should certain events occur which jeopardize the information and information systems needed by the agency to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day business functions and protect individuals. Security categories are used in conjunction with vulnerability and threat information in assessing the risk to an agency.

Data categorization involves close collaboration between business units and IT organizations to work through issues that go well beyond IT. The security categorization of data is a business function, not an IT function. The categorization of data is based on business rules along with federal and state regulations.

This standard applies to all information assets, including but not limited to electronic, multimedia, geospatial, paper and film. This standard supersedes the Information Asset Classification Policy, Policy # DAT 100-00.

2. Scope - Organizations Affected

This standard applies to the Governor's Office of Information Technology (OIT) and all consolidated executive branch agencies that OIT serves.

3. References

3.1. C.R.S. § 24-37.5-401, et seq.
3.2. Senate Bill 08-155 as codified in C.R.S. § 24-37.5-101 et seq.
3.3. Federal Information Processing Standard (FIPS) 199, "Standards for Security Categorization of Federal Information and Information Systems"; Federal Information Processing Standard (FIPS) 200, "Minimum Security Requirements for Federal Information and Information Systems"
3.4. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, rev. 4, "Security and Privacy Controls for Federal Information Systems and Organizations"

4. Definitions

For the purposes of this document, refer to C.R.S. § 24-37.5-102 et seq. and the Colorado Information Security Program Policy Glossary for any terms not specifically defined herein. The Glossary is posted in the same location as the Colorado Information Security Policies.

4.1. Assurance: Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediate and enforce the security policy.
4.2. Authentication Credential: A type of authenticator possessed by a user that provides a strong mechanism used to prove the credential holder's identity. Examples include a user name and password, a PKI certificate, or a Personal Identity Verification (PIV) card.
4.3. Availability: The reliability and accessibility of data and resources to authorized individuals in a timely manner.
4.4. CIA: Confidentiality, Integrity, and Availability: the three security objectives for the protection of information and information systems.
4.5. Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
4.6. Critical Infrastructure: An application, including the physical or virtual system assets, that provides critical services to the public and whose operation serves a vital function of government, but whose loss does not impact life safety.
4.7. Essential Infrastructure: An application, including the physical or virtual system assets, that provides essential services to the public and is so important to the agency that its loss or unavailability is unacceptable because of life safety issues.
4.8. Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.
4.9. Information Owner: Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.
4.10. Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
4.11. Information System Owner: Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system. All agency information systems are required to have a System Owner. This person is responsible for system access approvals and for annual system access reviews.
4.12. Integrity: Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.
4.13. Personally Identifiable Information (PII): Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.), alone or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother's maiden name, etc.).
4.14. Potential Impact: There are four (4) levels of potential impact on an agency or individual should there be a breach of security (i.e., a loss of confidentiality, integrity or availability).
4.15. Public Key Infrastructure (PKI): A service that provides the cryptographic keys needed to perform digital signature-based identity verification and to protect communications and storage of sensitive data.
4.16. Security Category: The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, individuals, other organizations, and the state.
4.17. Sensitive Information: Any information whose loss, misuse, unauthorized access or modification could adversely affect the interests or conduct of information systems, or the privacy to which individuals are entitled.

5. Standards

5.1. Asset Categorization Levels

Each Information System Owner is required to identify its information assets for the purpose of defining the potential impact should there be a loss of data confidentiality, integrity and/or availability (CIA). Information System Owners must use the categorization schema included in this standard to differentiate between the various levels of sensitivity and value. All information assets must be categorized strictly according to their level of potential impact, as follows.

5.1.1. Minimal (or Public): The loss of CIA could be expected to have a minimal adverse effect on agency operations, organizational assets or individuals.

5.2. Minimal impact data, also defined as "Public" data, is characterized as having no distribution limitations and as permitting anonymous access. These data elements form information that is actively made publicly available by state government. This includes information regularly made available to the public via electronic, verbal or hardcopy media, and is governed by the Colorado Open Records Act (CORA) (C.R.S. § 24-72-201 to 24-72-309), which requires that most public records be open for inspection by the public.

5.3. Examples of data in the Minimal (or Public) security category include press releases, brochures, public access web sites and materials made for public consumption.

5.4. A minimal adverse effect means that, for example, the loss of confidentiality, integrity or availability might: (i) result in minimal harm to individuals.

5.5. The greatest security threat to this data is unauthorized or unintentional alteration, distortion or destruction of the data. Security efforts appropriate to the criticality of the system containing this data must be taken to maintain its integrity.

5.5.1. Low: The potential impact is Low if the loss of CIA could be expected to have a limited adverse